Affinity Bancshares, Inc. - (AFBI)

10-K Filing Date: March 21, 2024
ITEM 1C. Cybersecurity

Our risk management program is designed to identify, assess, and mitigate risks across various aspects of our company, including financial, operational, regulatory, reputational, and legal. Cybersecurity is a critical component of this program, given our increasing reliance on technology and the potential for cyber threats. We use people, process, and technology controls to manage and mitigate cybersecurity risk. Our Chief Operations Officer is primarily responsible for this cybersecurity component and is a key member of the Information Technology (“IT”) Committee, reporting directly to the Chief Executive Officer and, as discussed below, periodically to the board of directors. Our Chief Operations Officer has more than 15 years with the Company.

Our objective for managing cybersecurity risk is to avoid or minimize the impacts of external threat events or other efforts to penetrate, disrupt or misuse our systems or information. The structure of our information security program is designed around the National Institute of Standards and Technology (“NIST”) Cybersecurity Framework, regulatory guidance, and other industry standards. In addition, we leverage certain industry and government associations, third-party benchmarking, audits, and threat intelligence feeds to facilitate and promote program effectiveness. Our Chief Operations Officer, along with members of the IT Committee, regularly collaborates with peer banks, industry groups, and policymakers to discuss cybersecurity trends and issues and identify best practices. The information security program is periodically reviewed by such personnel with the goal of addressing changing threats and conditions.

We leverage people, processes, and technology as part of our efforts to manage and maintain cybersecurity controls. We also employ a variety of preventative and detective tools designed to monitor, block, and provide alerts regarding suspicious activity, as well as to report on suspected advanced persistent threats. We have established processes and systems designed to mitigate cyber risk, including regular and ongoing education and training for employees, preparedness simulations and tabletop exercises, and recovery and resilience tests. We engage in regular assessments of our infrastructure, software systems, and network architecture, using internal cybersecurity experts and third-party specialists. We also maintain a third-party risk management program designed to identify, assess, and manage risks, including cybersecurity risks, associated with external service providers and our supply chain. We also actively monitor our email gateways for malicious phishing email campaigns and monitor remote connections. We leverage internal and external auditors and independent external partners to periodically review our processes, systems, and controls, including with respect to our information security program, to assess their design and operating effectiveness and make recommendations to strengthen our risk management program.

In many instances we rely on third-party providers to facilitate providing products and services to our customers. As a part of our overall cybersecurity risk management framework and, in addition to assessing our own cybersecurity preparedness, we also have a process in place to manage cybersecurity risks associated with third-party service providers. To help mitigate adverse impacts from a cybersecurity incident, we assess third-party vendors as a part of our vendor onboarding and continued due diligence which includes processes to assess information security posture. Depending upon the level of perceived security risk, we may impose security requirements upon a supplier, including: maintaining an effective security management program; abiding by information handling and asset management requirements; and notifying us in the event of any known or suspected cyber incident. We periodically conduct (or engage a third party to conduct) reviews of third-party hosted applications with a specific focus on any sensitive data shared with third parties. The internal business owners of hosted applications, depending upon the level of risk, are required to provide a report as to their controls (e.g., a System and Organization Controls (SOC) 2 or ISO 27001 (Information and Security Certification) or similar report).

We maintain an Incident Response Plan that provides a documented framework for responding to actual or potential cybersecurity incidents, including timely notification of and escalation to the Board. The Incident Response Plan is coordinated through the Chief Operations Officer and key members of management are embedded into the Plan by its design. The Incident Response Plan facilitates coordination across multiple parts of our organization and is evaluated and tested at least annually.

Notwithstanding our defensive measures and processes, the threat posed by cyber-attacks is severe. Our internal systems, processes, and controls are designed to mitigate loss from cyber-attacks and, while we have experienced cybersecurity incidents in the past, to date, risks from cybersecurity threats have not materially affected our company.


Our board of directors has established the IT Committee, which focuses on technology impact on all aspects of the bank. The IT Committee provides oversight and governance of the technology program including the information security program. The IT Committee includes the Chief Operations Officer and key departmental managers from throughout the entire company. The IT Committee generally meets monthly to provide oversight of the risk management strategy, standards, policies, practices, controls, and mitigation and prevention efforts employed to manage security risks. More frequent meetings occur from time to time in accordance with the Incident Response Plan in order to facilitate timely informing and monitoring efforts. The Chief Operations Officer reports summaries of key issues, including significant cybersecurity and/or privacy incidents, discussed at committee meetings and the actions taken to the IT Committee on a monthly basis (or more frequently as may be required by the Incident Response Plan).

The board of directors is responsible for overseeing our information security and technology programs, including management’s actions to identify, assess, mitigate, and remediate or prevent material cybersecurity issues and risks. Our Chief Operations Officer provides monthly reports to our board of directors regarding the information security program and the technology program, key enterprise cybersecurity initiatives, and other matters relating to cybersecurity processes. The board of directors reviews and approves our information security and technology budgets and strategies annually.